KISA’s voluntary security audit, Supervalu’s data breach, Krebs on why so many breaches, the sad truth about credit monitoring, and NewGOZ are on this week’s Top 5 InfoSec Reads.
Korea introduces security readiness guideline for private sector
Korea’s Internet and Security Agency (KISA) has a system in place that evaluates the information security levels of private companies. The evaluation follows standards similar to those government agencies must meet in order to operate. Compare it to an audit that determines how well protected from risk your company is. Korea sets a good example by keeping the evaluation voluntary, but the question remains as to how many companies will test their security levels if they aren’t compelled to.
2014 is the year of breached retailers on the cybercriminal calendar. The supermarket chain Supervalu reports 200 stores affected across the US. A list of affected stores is available here. Supervalu called the breach a criminal intrusion and cautioned card users that, while there was no evidence of data misuse or theft, they should be careful all the same (which is sadly becoming a stock phrase among recently breached retailers). The breach is reported to have taken place between June and July, but wasn’t reported until almost a month later. The silver lining to data breaches like this is that they may have accelerated the push for chip-and-PIN card transactions in the US, which would add a layer of security to credit card data and dramatically improve the protection of personal information. Read more about the Target breach and its consequences in older InfoSec Reads. This also transitions nicely to the question on everyone’s minds…
Brian Krebs touches on the reasons behind the breaches by exploring the specifics of the attacks themselves. Card information stolen from brick-and-mortar stores is more valuable than card data stolen online, and some carding shops are cutting out the middleman to maximize profit. He points out that thieves look for the most lucrative results for the least amount of effort: to think like a criminal, abandon all work ethic. Krebs suggests that thieves may be trying to make as much profit as possible before US banks convert to chip-enabled cards in 2014. Krebs also makes the distinction between breaches becoming more common and people being made more aware of them. These types of attacks have been around for a while, and were especially damaging to Sony and Nintendo back in 2011 (do note that these were online and not brick-and-mortar attacks).
Why credit monitoring will not help you after a data breach
Retailers now routinely offer free credit monitoring when they come forward to notify their customers of a data breach. It seems like a good gesture, but credit experts explain that credit monitoring isn’t going to help those customers very much, and may lull them into a false sense of security. A credit report won’t notify you of unauthorized charges, reveal the location of the person who stole the payment method, or disclose the individual charges that person made. While privacy experts agree that credit monitoring doesn’t help identify fraud, they encourage customers to take advantage of it when companies like Supervalu offer it for free, and, more importantly, to review their account statements often for suspicious charges.
Like a bad Terminator sequel, Gameover Zeus is back on its feet. NewGOZ demonstrates that attackers are unwilling to let it go quietly into the night and still have some tricks left in their bags. NewGOZ abandons peer-to-peer communication, uses fast flux, and uses a new domain generation algorithm that generates new domains at a much higher volume than its predecessors. Maybe it can’t be stopped until the individuals behind it are caught, and another Operation Tovar is in order. Past InfoSec Reads articles that cover Zeus and Tovar can be found by clicking on the link.
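One defender-side signal of a high-volume DGA like the one described above is a burst of distinct NXDOMAIN answers from a single host in a short window. The following is an added example, not code from the original post; the resolver log format, the sample lines and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed resolver log (not real traffic): "<epoch> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1408400000 10.0.0.5 www.example.com NOERROR
1408400003 10.0.0.5 mail.example.com NOERROR
1408400010 10.0.0.7 www.exmaple.com NXDOMAIN
1408400012 10.0.0.7 www.example.com NOERROR
1408400020 10.0.0.9 qpxzrtwkvlm.net NXDOMAIN
1408400020 10.0.0.9 bdfvmxqoau.org NXDOMAIN
1408400021 10.0.0.9 kjhtwqzpne.com NXDOMAIN
1408400021 10.0.0.9 zzqwmrtlvk.biz NXDOMAIN
1408400022 10.0.0.9 hqpfzvtkm.net NXDOMAIN
1408400022 10.0.0.9 kjhtwqzpne.com NXDOMAIN
1408400023 10.0.0.9 update.microsoft.com NOERROR
"""


def parse_line(line):
    """Split one log line into (epoch, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.lower(), rcode


def dga_suspects(log_text, window=60, min_distinct_nx=5, min_nx_ratio=0.5):
    """Flag (client, window_start) pairs whose failed lookups look like DGA
    beaconing: many *distinct* NXDOMAIN names inside one time window, with
    failures dominating that client's queries. A single typo (10.0.0.7) or a
    repeated failed name does not trip the threshold. Returns a sorted list of
    (client, window_start, distinct_nxdomain_names, total_queries)."""
    nx_names = defaultdict(set)   # (client, window_start) -> distinct NXDOMAIN qnames
    totals = defaultdict(int)     # (client, window_start) -> all queries seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        key = (client, (ts // window) * window)
        totals[key] += 1
        if rcode == "NXDOMAIN":
            nx_names[key].add(qname)
    hits = []
    for (client, start), names in nx_names.items():
        total = totals[(client, start)]
        if len(names) >= min_distinct_nx and len(names) / total >= min_nx_ratio:
            hits.append((client, start, len(names), total))
    return sorted(hits)
```

Counting distinct names rather than raw NXDOMAIN responses keeps a host that retries one dead domain from being confused with one walking through a generated list.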